OFFICE OF PERSONNEL MANAGEMENT

5 CFR Part 930

Training Requirement for the Computer Security Act

AGENCY: Office of Personnel Management.

ACTION: Interim regulation.

SUMMARY: This regulation implements Pub. L. 100-235, the Computer Security Act of 1987, which requires training for all employees responsible for the management and use of Federal computer systems that process sensitive information. Under the regulation agencies will be responsible for identifying the employees to be trained and providing appropriate training.
DATES: Interim rule effective July 13, 1988. Submit written comments on or before September 12, 1988.

ADDRESSES: Send written comments to Mr. Harold Segal, Chief, Policy and Oversight Branch, Office of Training and Development, Training and Investigations, Office of Personnel Management, P.O. Box 7230, Washington, DC 20044, or deliver to 1121 Vermont Avenue NW., Room 1215, Washington, DC 20005.

FOR FURTHER INFORMATION CONTACT: Ms. Constance Cuitian, Policy and Oversight Branch, (202) 632-9769.
SUPPLEMENTARY INFORMATION: Public Law 100-235, the "Computer Security Act of 1987", requires mandatory periodic training for all employees involved in the management or use of Federal computer systems that contain sensitive information. In order to accomplish this goal the law requires the National Bureau of Standards (NBS) to develop guidelines for the training of employees in security awareness and accepted security practices. The Office of Personnel Management (OPM), however, is required to issue regulations for the training within six months (July 8, 1988) of the passage of the law. The law further requires that agencies initiate training within 60 days of the issuance of the regulation. This means that agencies should start their training programs by September 8, 1988.

The preparation of these regulations required extensive coordination with NBS. Pursuant to sections 553(b)(3) and (d)(3) of title 5 of the United States Code, I find that good cause exists to make this amendment effective in less than 30 days. The regulation is being made effective immediately in order to meet a statutory deadline. Even though we are issuing these regulations as interim effective immediately, we are inviting comments for a 60-day period. Those comments will be given consideration in the final regulations which we plan to issue within 120 days after the comment period. OPM has worked with NBS in defining areas that should be included in training activities and these are embodied in the regulation. The principal features of the regulation are:

(1) The subject matter of the training should stress awareness of the computer system's vulnerabilities and risks and be organized around each agency's computer security policies, practices and procedures;

(2) Training is a continuing process; and

(3) Refresher training must be provided as appropriate.

The depth of coverage for each of the subjects listed in the regulation should depend on the sensitivity of the data to which the employee has access and the employee's level of responsibility and authority with respect to the information. Each agency will have to decide the appropriate level of training for its employees. The agency may include computer security awareness as a part of existing computer training, management courses and employee orientation. In addition, agencies should explore non-classroom modes of delivery of training such as computer assisted training, video tapes, workbooks, job aids and desk guides.

The Congressional Budget Office estimates that about half of all Government employees will need computer security training to make them aware of the vulnerability of sensitive information and the risks of unauthorized use. Training for most of these employees will not be technical in nature but will teach them how to safeguard the information to which they have access. Although training is of vital importance to a security program, it is only a part of a larger information management system. Agency management needs to foster a work environment where information security is seen as critical to accomplishing the agency's mission.

This regulation will be issued in Part 930 of the Code of Federal Regulations and subsequent Federal Personnel Manual guidance will be issued as an appendix to Chapter 410. The regulation may be changed when NBS issues its guidelines. The law allows the agency head the option to exempt the agency from the training requirements of the guidelines if it is determined that the agency has an alternative training program at least as effective as the one described in the guidelines.


Office of Personnel Management.

Constance Horner,

Director.

Accordingly, the Office of Personnel Management adds Subpart C to Part 930 to read as follows:

Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems

Sec.
930.301 Training requirement.
930.302 Initial training.
930.303 Continuing training.
930.304 Refresher training.

Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems

Authority: 40 U.S.C. 759 note.

§ 930.301 Training requirement.

(a) The head of each agency shall identify and provide training in computer security, which emphasizes an awareness of the vulnerabilities and risks of the systems, to all employees responsible for the management or use of Federal computer systems¹ that process sensitive information.²

(b) The objective of the training is to provide employees an awareness of the vulnerabilities and risks of the computer system. The training should also provide the knowledge and skills needed to apply an agency's computer security policies, practices, and procedures.

(c) The training shall include as appropriate agency computer security practices and procedures for:

(1) Meeting information security objectives;

(2) Responsibility and accountability;

(3) Information accessibility, handling, and storage;

(4) Physical and environmental hazard protection;

(5) System and data access controls;

(6) Emergency and disaster situations;

(7) Identification of threats and vulnerabilities; and

(8) Other security related matters.

§ 930.302 Initial training.

The head of each agency shall start the initial required training for all employees responsible for the management or use of Federal computer systems that process sensitive information within 60 days of the effective date of this regulation. The head of the agency shall provide the initial required training to all such new employees within 60 days of their appointment.

§ 930.303 Continuing training.

The head of each agency shall provide training whenever there is a significant change in the agency information security environment or procedures.

§ 930.304 Refresher training.

Computer security awareness refresher training which covers, as appropriate, the topics outlined in § 930.301 of this part shall be given as frequently as determined necessary by the agency based on the sensitivity of the information.

¹ Under the statute, the term "Federal computer system": (A) means a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function; and (B) includes automatic data processing equipment as that term is defined in section 111(a)(2) of the Federal Property and Administrative Services Act of 1949.

² Under the statute, the term "sensitive information" means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.